Malicious PDF — malware analysis report

Static analysis result for SHA-256 08b4c75be6cce4da…

MALICIOUS

PDF

6.98 MB
MD5: ceaf212137918f4353bfadc774efde47
SHA-1: cf0a5bb73d6e2b8b5f53a5a41416da8ba69c4798
SHA-256: 08b4c75be6cce4da13645a114b45ac83e15d1ddc6df7ecd6053903e74e5b9d11

Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF is heavily obfuscated and encrypted; heuristics indicate the presence of JavaScript whose body is hidden from static inspection by the document encryption. The embedded JavaScript is the primary indicator of malicious activity and likely serves as a downloader for further stages. The high stream count and the embedded file further suggest complex obfuscation techniques.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3073

Heuristics (5)

  • Encrypted PDF carries /js — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/js). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the filename (kind; source; size), with its SHA-256 on the following line.

  • embedded_file_obj0297.bin (pdf-embedded-file; PDF EmbeddedFile object 297 at offset 0xA623; 85 bytes)
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  • embedded_file_obj0298.bin (pdf-embedded-file; PDF EmbeddedFile object 298 at offset 0xA6D7; 1594 bytes)
    SHA-256: 400d62b221d788b5c09efdfeb29b87bc6d615b94f5d7598da371c19b387036e2
  • embedded_file_obj0299.bin (pdf-embedded-file; PDF EmbeddedFile object 299 at offset 0xA9C1; 4194304 bytes)
    SHA-256: 94068bb4def36c89430fd26629b4fcb0f6c269a65f66e878f30e3d0f51dd8504
  • embedded_file_obj0300.bin (pdf-embedded-file; PDF EmbeddedFile object 300 at offset 0x173B26; 2928 bytes)
    SHA-256: 0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f
  • embedded_file_obj0301.bin (pdf-embedded-file; PDF EmbeddedFile object 301 at offset 0x173E96; 1147 bytes)
    SHA-256: 7494470bfb00a3fc0f1eedf5e154a272e46490c6c240d19e605afe575b4b4d79
  • embedded_file_obj0302.bin (pdf-embedded-file; PDF EmbeddedFile object 302 at offset 0x1740DE; 22259 bytes)
    SHA-256: 2843fb66dae5734730c57332596714a56c8623392ed05e049abb9d38ca437683
  • embedded_file_obj0303.bin (pdf-embedded-file; PDF EmbeddedFile object 303 at offset 0x174567; 69462 bytes)
    SHA-256: 344d56eb0c1fc8bc0236d8e3fa0060fa957908e82deb1a28890f149d084810d4
  • stream_015_off0017532e.js (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x17532E; 870 bytes)
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  • stream_016_off00175487.js (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x175487; 1532 bytes)
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  • stream_025_off0017829d.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x17829D; 76076 bytes)
    SHA-256: 8b893f7da4404860687796d05bbcb83eaafc8d49e1ab1f87351b5d9047102f82
  • stream_177_off001e4999.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1E4999; 778532 bytes)
    SHA-256: 54590820964a11442b9ee0993cf1fdd8f13960c0e1769f492801f8cf4c6327e1
  • objstm_0004_00.bin (pdf-objstm-decoded; PDF /ObjStm 4 0 obj (inflated); 5023 bytes)
    SHA-256: 3918ae9c74b5f5411563c680c1d52a11821ae3a75a408bc4ff3ddb9eb794866e